The European Digital Finance Strategy aims to promote digital finance in Europe while ensuring financial stability and consumer protection. It consists of three main components: the Digital Operational Resilience Act (DORA), Markets in Crypto-assets (MiCA) Regulation, and a proposal on Distributed Ledger Technology (DLT). This blog post focuses on the key aspects of the DORA proposal, particularly in relation to incident management at financial entities.
DORA, published by the European Commission, addresses the increasing ICT risks in the financial services sector by establishing a framework for operational resilience. It aims to enhance ICT risk management and governance, improve incident reporting and information sharing, manage ICT third-party risk, and implement resilience assessments. The European Commission estimates that incidents in the EU financial sector cost up to €27 billion per year, underscoring the importance of DORA.
Financial entities across the sector, including credit institutions, investment firms, and insurance undertakings, will be subject to DORA. Firms designated as critical ICT third-party service providers will also need to comply with the regulation. Expected to be published by the end of 2022, DORA will have a significant impact on incident management practices within financial entities.
The proposal outlines changes to ICT risk management processes, requiring senior management involvement in incidents, identification of potential sources of incidents, implementation of protective measures, and communication of incidents to relevant parties. It also emphasizes the importance of responding to and resolving incidents effectively, estimating impacts, and establishing communication and crisis management protocols.
Furthermore, DORA mandates post-incident reviews to analyze causes of disruptions and identify necessary improvements. Senior management will be required to report on incidents annually, emphasizing the need for accessible tools for incident response across the organization. The incident management process should include procedures for identifying, tracking, categorizing, and classifying incidents, assigning roles and responsibilities, and communicating with stakeholders.
Taken together, these requirements set a comprehensive framework for incident management in the financial services sector, aiming to enhance operational resilience and mitigate ICT risks effectively. Financial entities will need to adapt their incident management processes to comply with the requirements outlined in the proposal. DORA also sets classification criteria for ICT-related incidents, focused on capturing their impact and severity. Incidents must be classified according to factors such as the number of affected users, the duration of the disruption, geographical spread, data losses, severity of the effect on ICT systems, criticality of the services affected, and economic impact.
There is also a requirement to report incidents to the competent authority, using standardized reporting formats intended to streamline the process and facilitate cross-entity learning. Non-compliance can result in significant repercussions, including orders to temporarily or permanently cease practices where the authority deems this necessary.
To aid in incident management and compliance with the new regulations, incident.io offers a comprehensive tool for managing incidents across business functions. It allows for quick declaration of incidents, communication with internal and external parties, tracking of actions, and follow-ups to ensure nothing is missed. Features such as Insights, Decision Flows, Workflows, and Post-mortems are particularly relevant to the requirements of the DORA proposal.
In conclusion, DORA will bring about significant changes in how financial entities handle incident management processes. It emphasizes the need for stronger involvement of senior management, robust plans for mitigating and responding to incidents, and improved reporting to regulators. incident.io is committed to supporting financial organizations in meeting these new requirements and enhancing their operational resilience.